Nuts Node JWT Type Confusion Vulnerability in Access Token Introspection Endpoint Allows Verifiable Presentation Replay

Vulnerability

A vulnerability exists in the Nuts Node implementation of the Nuts specification, in versions prior to 6.2.3 and 5.4.31. The v1 access token introspection endpoint accepts any JSON Web Token (JWT) signed by a key available on the node, without validating the JWT type, the binding of the issuer to the signing key, or the required claims. As a result, a Verifiable Presentation (VP) JWT can be replayed as an access token and receives an 'active: true' response from introspection.

Impact

Exploitation of this vulnerability allows for the unauthorized replay of Verifiable Presentation JWTs as access tokens, potentially bypassing access controls on resource servers.

Reproduction

To reproduce this vulnerability, first obtain a VP JWT from an organization (Org A) during a standard access token request flow. Org A creates a VP JWT signed with its key and sends it to another organization (Org B) to request an access token. Org B can then present this VP JWT to Org A's resource server as a bearer access token. When the resource server calls the introspection endpoint, the missing validations allow the VP to be accepted as a valid access token, even though it lacks the token type, issuer-to-key binding and required claims an access token must carry.

Remediation

Users can update to Nuts Node versions 6.2.3 or 5.4.31, where this vulnerability has been fixed. If an update is not possible, resource servers can manually validate the introspection response by rejecting any tokens with empty 'service' or 'iss' fields, or where the 'sub' claim does not match the expected requester DID.
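The manual check described above, written out as an added example for a Go resource server that cannot upgrade yet (this is illustrative code, not code from the Nuts project). It assumes the introspection response is JSON with top-level 'active', 'iss', 'sub' and 'service' members, and the DIDs and response bodies are constructed sample values.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// IntrospectionResponse holds the response fields the manual check inspects.
// Field names follow the advisory; their top-level placement is an assumption.
type IntrospectionResponse struct {
	Active  bool   `json:"active"`
	Iss     string `json:"iss"`
	Sub     string `json:"sub"`
	Service string `json:"service"`
}

// ValidateIntrospection applies the advisory's interim checks: the token must be
// active, carry non-empty service and iss fields, and its sub must equal the
// DID of the requester the resource server expects. A replayed VP JWT that the
// unpatched endpoint reports as active fails on the missing service/iss fields.
func ValidateIntrospection(raw []byte, expectedRequesterDID string) error {
	var resp IntrospectionResponse
	if err := json.Unmarshal(raw, &resp); err != nil {
		return fmt.Errorf("malformed introspection response: %w", err)
	}
	if !resp.Active {
		return errors.New("token is not active")
	}
	if resp.Service == "" {
		return errors.New("empty service field: not an access token")
	}
	if resp.Iss == "" {
		return errors.New("empty iss field: issuer not bound to the token")
	}
	if resp.Sub != expectedRequesterDID {
		return fmt.Errorf("sub %q does not match expected requester %q", resp.Sub, expectedRequesterDID)
	}
	return nil
}

func main() {
	// Constructed samples (not real responses): a replayed VP that the
	// unpatched endpoint marks active, and a genuine access token response.
	replayedVP := []byte(`{"active":true,"sub":"did:nuts:orgA"}`)
	genuine := []byte(`{"active":true,"iss":"did:nuts:orgA","sub":"did:nuts:orgB","service":"example"}`)
	fmt.Println("replayed VP:", ValidateIntrospection(replayedVP, "did:nuts:orgB"))
	fmt.Println("genuine token:", ValidateIntrospection(genuine, "did:nuts:orgB"))
}
```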

Added: May 26, 2026, 10:42 PM
Updated: May 26, 2026, 10:42 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 6.7
remediation: 0.0
relevance: 9.6
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.